SID 1:44565

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt

Rule Explanation

This rule looks for HTTP requests for '/widget/repository/log/diagnostic.log'. A vulnerability has been identified where there are improper access controls placed on the log file and which makes it publicly accessible. An unauthenticated user could read this log file and gain access to the session tokens that have been assigned, thereby bypassing the need to authenticate themselves.

What To Look For

This rule alerts when a user attempts to access a log file on a Trend Micro SPS and IMS host that contains session tokens.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Reconnaissance::Gather Victim Host Information

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

CVE

CVE-2017-11398 CVE-2018-3609

Additional Links

pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/

success.trendmicro.com/solution/1119277

Rule Vulnerability

Authentication Bypass

An Authentication Bypass occurs when there is a way to avoid providing user credentials to a system before performing restricted operations on said system.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

CVE-2017-11398

Loading description

CVE-2018-3609

Loading description